The Windows Incident Response Blog is dedicated to the myriad information surrounding and inherent to the topics of IR and digital analysis of Windows systems. This blog provides information in support of my books; "Windows Forensic Analysis" (1st thru 4th editions), "Windows Registry Forensics",
as well as the book I co-authored with Cory Altheide, "Digital Forensics with Open Source Tools".

Thursday, June 04, 2009

Links and stuff

Richard Bejtlich has an interesting post regarding incident ratings. I find Richard to have well-thought-out and well-reasoned views, and this is yet another example of that. When writing CSIRPs, we include things such as incident severity ratings for classification and escalation purposes, so having something like this, while perhaps a little complex for many organizations, is very important.

JL's been nice enough to post on some CEIC materials...cool stuff. Thanks for posting and making these materials available!

Over on OffensiveComputing, there's a link for OfficeMalScanner, which scans Office documents for malware, embedded PE files, and OLE streams. If VB code is found, it's reportedly extracted for analysis. This sounds pretty cool and a good thing to have in your toolkit, along with other means for malware detection.

The eEvidence site has been updated again! Christine has a way of finding some really cool papers and presentations...while they may not always be brand-spanking new, they are definitely topical and well worth reading and discussing.

Ed posted some good command-line kung fu for getting user and group information from a live system. For post-mortem analysis, I use RegRipper's samparse plugin for this...it not only parses out the user information, but also the group membership information. Another interesting bit of analysis you can use this for is to determine all local users on the system: dumping the contents of the ProfileList key (from the Software hive), or listing the Documents and Settings directory with 'dir', will give you the list of users with profiles on the system, but neither will distinguish between local and domain users.
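The ProfileList subkeys are named by SID, and a local account's SID carries the machine SID as its prefix while a domain account's carries the domain SID, so the two can be told apart once the machine SID is known (samparse reports local account SIDs, whose prefix is the machine SID). The following is an added example, not code from the blog post or from RegRipper: it takes a list of ProfileList subkey names and a machine SID (both constructed samples here, in place of values pulled from the Software and SAM hives) and classifies each profile as well-known, local, or domain.

```python
# Added example: classify ProfileList subkey SIDs as well-known, local or domain
# accounts by comparing their prefix against the machine SID.
# Assumption: the machine SID was recovered from the SAM hive (e.g. from the
# SIDs that samparse reports for local accounts); the values below are
# constructed samples, not data from any real system.
import re

# Well-known service SIDs that also appear as ProfileList subkeys.
WELL_KNOWN = {
    "S-1-5-18": "LocalSystem",
    "S-1-5-19": "LocalService",
    "S-1-5-20": "NetworkService",
}

# Built-in RIDs that identify fixed local accounts.
BUILTIN_RIDS = {500: "Administrator", 501: "Guest"}

# Account SIDs issued by a machine or domain look like S-1-5-21-A-B-C-RID.
ACCOUNT_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

# Constructed sample inputs (labelled as such; not from the page).
MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_PROFILE_SIDS = [
    "S-1-5-18",
    "S-1-5-19",
    "S-1-5-20",
    "S-1-5-21-1111111111-2222222222-3333333333-500",
    "S-1-5-21-1111111111-2222222222-3333333333-1001",
    "S-1-5-21-4444444444-5555555555-6666666666-1105",
    "not-a-sid",
]


def split_account_sid(sid):
    """Return (issuer_prefix, rid) for an S-1-5-21-... SID, or None if it is not one."""
    m = ACCOUNT_SID_RE.match(sid)
    if not m:
        return None
    prefix = sid.rsplit("-", 1)[0]
    return prefix, int(m.group(1))


def classify_profile_sid(sid, machine_sid):
    """Classify one ProfileList subkey name.

    Returns a (kind, detail) tuple where kind is one of 'well-known', 'local',
    'domain' or 'unknown', and detail is the account name (well-known / built-in),
    the RID, or the raw string for unparseable input.
    """
    if sid in WELL_KNOWN:
        return "well-known", WELL_KNOWN[sid]
    parts = split_account_sid(sid)
    if parts is None:
        return "unknown", sid
    prefix, rid = parts
    if prefix == machine_sid:
        # Same issuer as the machine SID: a local account.
        return "local", BUILTIN_RIDS.get(rid, rid)
    # Any other S-1-5-21 issuer is a domain (or another machine's) account.
    return "domain", rid


def classify_profiles(profile_sids, machine_sid):
    """Map every ProfileList subkey SID to its classification."""
    return {sid: classify_profile_sid(sid, machine_sid) for sid in profile_sids}


def local_profiles(profile_sids, machine_sid):
    """Return only the SIDs of local accounts that have a profile on the system."""
    return [
        sid for sid, (kind, _) in classify_profiles(profile_sids, machine_sid).items()
        if kind == "local"
    ]


if __name__ == "__main__":
    for sid, (kind, detail) in classify_profiles(SAMPLE_PROFILE_SIDS, MACHINE_SID).items():
        print(f"{sid:55} {kind:10} {detail}")
```

Domain SIDs are only recognised by not matching the machine SID, so a profile left behind by an account from another workgroup machine also lands in the "domain" bucket; cross-checking the RIDs against the local accounts samparse lists resolves that case.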